I recently helped a client who had their server hacked. The hackers added some PHP code into the header of the homepage redirecting the user to a porn website — but only if they came from Google. This made it slightly harder for the client to spot. The client would see the website fine. Only new website visitors from Google would be directed to the porn site.

Last night a similar thing appeared to happen to a different client. I assumed it was a similar hack, but when I checked the codebase I could not find any malicious code.
His Chrome browser is redirecting from the client's website to www(dot)pc-site(dot)com. I cannot replicate this behaviour. I guess it is possible that malicious code is being added and removed. So I need a more comprehensive way to tell if the server has been hacked.

Only 2 developers have access to this dedicated server (and the hosting company Rackspace).
The server is Red Hat Linux.

What are the steps I go through to find out if the server has been hacked?

4 Answers
4

Logs. If you have root access you should check things like history which will give you command history and log files in /var/logs.

Baseline. If you have a baseline like file hashes to work with for application and system files this will help a lot. You can also use backups to compare a previous state. If using a backup to compare files, use a slightly older one if you can. The site may have been compromised a while before and it is only now that the redirect has been activated.

Check any includes. The files may not be on your server. They may be script includes such as <script src="http://baddomain.com/s.js" /> or iframe-type tags. Also do not exclude images, PDFs or Flash (SWF), video files. It is a fairly common trick to embed links into files of a different content type. I would suggest you inspect them by hand, particularly at the start and end of a file. The file may be completely a link/html/javascript or may be a legitimate image file with a link trailing at the end of the file.

Check for unusual file dates, sizes and permissions e.g. 777.

Check cron jobs for unusual jobs. Someone compromising a system will often leave a back door to get back in again and again. Cron is a very popular way to do this if they managed to get that far.

Check for the absence of files. You may not be able to have access to logs, but the absence of them is equally a telltale sign that someone has cleaned up after themselves.

Use search engines. Not surprisingly, search engines are great at finding everything. Use directives like site:, e.g. site:yoursitehere.com baddomain.com, and see if you get any hits.

Often a link or redirect will be obfuscated, so long JavaScript code with single-letter variables should be analyzed carefully.

Do a packet capture with a tool like Wireshark or tcpdump from a secure workstation to the site. Save it to a file and search the file for parts of the URL.

Check database records that may be queried or updated. The link could be injected in the database not the PHP.

Don't exclude the client's workstation. Use a free online virus scanner if need be. Also check nslookup and see what that resolves to. Check browser extensions, clear cache and check hosts files.

To clean it up (if you are compromised) you really do need to go back to bare metal and reinstall. It is painful but is really the only way to be sure that you have got the whole lot.

To prevent it in the future you should be doing the following (although you may already be doing some of these):

Harden servers, including using vendor recommendations on secure configurations, using up-to-date software. Apply tight security control such as permissions, password policies. Also see folder and file permission shared host advice.

Implement quality control procedures such as testing on low security environments, code review and testing.

Use Intrusion Prevention System (IPS) tools. However depending on your hosting provider you may have limitations on what you can use. Host based IPS tools should be ok if you have a dedicated virtual machine.

Hope that helps. Otherwise maybe you could provide more information about the systems you are running?
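The checks the answer above lists (world-writable files, files changed since the last deploy, injected script/iframe includes and obfuscated PHP, data appended to image files, cron entries, and logs that have gone missing) can be run as one read-only triage pass. The script below is an added example written for this page, not code from the answer's author: the web root path, the deploy-stamp file and the Red Hat log and cron paths it refers to are assumptions, and every match it prints is a lead to inspect by hand rather than a verdict.

```shell
#!/bin/sh
# Added example (not from the answer above): read-only triage of a web root.
# Usage: sh triage.sh /var/www/html [/path/to/deploy.stamp]
# All paths below are assumptions for the example.
set -u

# 1. World-writable (777-style) files: anything the web worker or an attacker can rewrite.
find_world_writable() {            # $1 = directory
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# 2. Files modified after a reference file, e.g. a marker touched at the last deploy.
find_newer_than() {                # $1 = directory, $2 = reference file
    find "$1" -type f -newer "$2" 2>/dev/null | sort
}

# 3. External <script>/<iframe> includes and eval() wrapped around a decoder, the
# usual shape of an injected redirect. Output is grep's "path:line:match".
find_injected_includes() {         # $1 = directory
    grep -rInE \
        -e '<(script|iframe)[^>]+src=["'"'"']?https?://' \
        -e 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)' \
        "$1" 2>/dev/null
}

# 4. A well-formed JPEG ends with the EOI marker FF D9; anything after it was appended.
jpeg_has_trailing_data() {         # $1 = file; exit status 0 = trailing data present
    last2=$(tail -c 2 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$last2" != "ffd9" ]
}

find_jpegs_with_trailing_data() {  # $1 = directory
    find "$1" -type f \( -name '*.jpg' -o -name '*.jpeg' \) 2>/dev/null | sort |
    while IFS= read -r f; do
        if jpeg_has_trailing_data "$f"; then printf '%s\n' "$f"; fi
    done
}

# 5. Logs or shell history that should exist but are absent or empty are a sign of cleanup.
report_missing_or_empty() {        # $@ = files expected to exist and be non-empty
    for f in "$@"; do
        if [ ! -s "$f" ]; then printf 'MISSING-OR-EMPTY %s\n' "$f"; fi
    done
}

run_triage() {                     # $1 = web root, $2 = deploy-stamp file (optional)
    root=$1
    echo "== world-writable files ==";     find_world_writable "$root"
    if [ "${2:-}" ] && [ -e "$2" ]; then
        echo "== changed since $2 ==";      find_newer_than "$root" "$2"
    fi
    echo "== suspicious includes/eval ==";  find_injected_includes "$root"
    echo "== JPEGs with trailing data =="; find_jpegs_with_trailing_data "$root"
    echo "== cron entries (system and per-user) =="
    ls -la /etc/cron.d /etc/cron.daily /var/spool/cron 2>/dev/null
    echo "== expected logs/history =="
    report_missing_or_empty /var/log/messages /var/log/secure \
        /var/log/httpd/access_log /root/.bash_history
}

if [ "${1:-}" ]; then run_triage "$1" "${2:-}"; fi
```

Where possible, run it against a copy of the web root mounted on a clean workstation rather than on the suspect host, and keep the output alongside the packet capture and log extracts so the timeline can be reconstructed later.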

As @Dgarcia said, a quick method is to use something like Tripwire or another tool which monitors files or the hashes of files to check for changes. This works to identify servers compromised by many types of attack.

1. It may not work for ones where a rootkit has been installed that counteracts this process.

2. It will not work for servers which have fallen prey to a memory-only compromise or one that doesn't touch the files you are monitoring.

For 1, your only option is a rebuild from scratch

For 2, your best option is a rebuild from scratch, as any compromise could implement backdoors that will break anything you try to fix, but other steps could be useful:

check your webserver and php versions and use these to search on an Advisories list for known exploits - this will help you identify areas which may have been compromised. Then

check your web application code

check your webserver configs

check the client's machine (for hosts file, DNS etc) as it may actually be the problem

How do I know that a rebuild will not contain the same vulnerabilities? Red Hat Enterprise keeps software safe(ish), I assume? The web app code could be at fault for sure (this could be the most likely route in). Is there a standard set of web server configs to check, i.e. changing passwords and ports on a set number of services? We are also continuing to check the client's machine - he is no longer getting the issue, but we still do not know why it happened.
– Boz, Sep 23 '11 at 11:57

A rebuild may contain the same vulnerabilities, sure, but it gets rid of the compromised code - which could remain if you do not do a full wipe! There are questions on here on hardening servers, e.g.: security.stackexchange.com/q/77/485
– Rory Alsop♦, Sep 23 '11 at 16:07

This is a tough question to answer because it is so broad. There are two categories of "hacks" in my book - minor and serious. I would class a rootkit in the serious category and your average script injection attack as minor. While with minor attacks you can clean them up, you can't be 100% certain you've removed them or closed all access to repeat the attack but you can be 99%-ish certain by analyzing the attack for key factors such as "Was this person a good programmer?" and "What was the person's intent?" Rootkits are nasty business. Removing a rootkit requires a complete wipe and restore. Detecting one remotely is nearly impossible - you have to have physical access to the machine and a boot disk in hand to be certain.

More important is prevention. The adage "an ounce of prevention is worth a pound of cure" is completely true in this context. Install software that lets you monitor various aspects of the system and sends daily or even hourly reports. Tripwire was mentioned, but there are other tools out there too. I recommend using a couple of different tools - homegrown ones are harder to locate and aren't difficult to author. You want to build a solid defense and limit access to the system. Don't just let anyone in the world have access to the SSH port (at least restrict it by IP address/small range of IPs). Stick a dedicated firewall in front of each server so there is an extra layer of protection. You don't want to let the box itself be the only line of defense. Only manage critical data with the server over SSH/SSL so everything is encrypted and free from prying eyes. Don't ever manage your servers from open WiFi networks.

A lot of sites use MySQL or a similar database. Detecting things like XSS attacks or other rogue data in a database isn't easy because there are schema-dependent issues. I haven't seen any solutions for this problem but I wouldn't doubt they exist.

A fast method is to have the md5 of all the files that you know are healthy. If you suspect your site is behaving badly, or as a regular inspection, you can do the check over the files. If any of the md5s doesn't match you can diff the files and peruse the changes.

Obviously this does not work with dynamic files (logs, database dumps, etc.) if you can't track the changes.

There are, of course, multiple methods (inspect logs...) and preventions, but this is an easy and fast way.
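This answer's md5 list, the "Baseline" point in the first answer and the Tripwire suggestion all come down to one procedure: hash every file while the site is known-good, keep the list somewhere the web server cannot write, and re-hash during an inspection. The script below is an added example for this page, not dgarcia's or any other answerer's code; it does that with sha256sum in place of md5 (same idea, and the hash is not one an attacker can collide on purpose), reports changed, missing and new files, and diffs a changed file against a backup copy. The paths, the '*.log' exclusion and the file names are assumptions.

```shell
#!/bin/sh
# Added example, not code from any answer on this page.
# Usage: sh baseline.sh make   /var/www/html /root/site.sha256   (while known-good)
#        sh baseline.sh verify /var/www/html /root/site.sha256   (during an inspection)
# Paths are assumptions for the example.
set -u

# Write "hash  ./relative/path" for every regular file under $1 into $2.
# Paths are relative so the baseline can be checked against a copy on another host.
# Files that change legitimately (here: *.log) are excluded by name.
make_baseline() {                  # $1 = web root, $2 = baseline file to write
    ( cd "$1" && find . -type f ! -name '*.log' -print0 | sort -z | xargs -0 sha256sum ) > "$2"
}

# Compare the current state of $1 with baseline $2. Prints one line per difference:
# "CHANGED path", "MISSING path" or "NEW path"; prints nothing when everything matches.
# (awk splits on whitespace, so paths containing spaces are not handled here.)
verify_baseline() {                # $1 = web root, $2 = baseline file
    cur=$(mktemp)
    make_baseline "$1" "$cur"
    awk 'NR==FNR { base[$2] = $1; next }                # first file: the baseline
         $2 in base { if (base[$2] != $1) print "CHANGED " $2; seen[$2] = 1; next }
         { print "NEW " $2 }                             # second file: current manifest
         END { for (p in base) if (!(p in seen)) print "MISSING " p }' "$2" "$cur"
    rm -f "$cur"
}

# Show what changed in one file relative to a backup copy (diff exits 1 when they differ).
diff_against_backup() {            # $1 = backup root, $2 = live root, $3 = ./relative/path
    diff -u "$1/$3" "$2/$3"
}

case "${1:-}" in
    make)   make_baseline "$2" "$3" ;;
    verify) verify_baseline "$2" "$3" ;;
esac
```

Keep the baseline and the script off the server, since anyone with write access to the web root could otherwise regenerate the list to match their changes, and run the verification with the disk mounted on a trusted host or booted from rescue media, because a compromised kernel can hand back the original bytes for files it has replaced (the rootkit case in the comments). For files that came from packages, rpm -Va performs the same comparison against the RPM database, so the baseline only needs to cover the application files.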

We are moving to Github - so another method could be to run git on the live server and see what changes have been made through finding files to be committed. The issue however, is that I think the codebase is fine. I'm hoping to find out how the server has been compromised without using the codebase...
– Boz, Sep 23 '11 at 9:34

4

@dgarcia: Check what a rootkit is and why it's undetectable when written correctly. Let's say that there's one file in the system: /is_hacked.txt, containing the string "YES" or "NO". If the string is "NO", the computer is not hacked, else it is. Let's assume the system is hacked, and the content changed to "YES". However, part of the hack is a rootkit, serving also to disguise the fact. It has hijacked the fopen() system calls, so that any attempt to open (and read) a file needs to pass through the malicious code.
– Piskvor, Sep 23 '11 at 10:27

1

...So, if you just go ahead and try to check /is_hacked.txt, the malicious code will detect this, and instead of returning the actual content ("YES"), it will return whatever fake content it wants ("NO"), for every time you open that file. You can verify this all you want, to an outside observer, it will appear as if /is_hacked.txt contains "NO" - so there will be no difference seen by the diff.
– Piskvor, Sep 23 '11 at 10:29

1

...Useless? Not at all - this can be done for anything that happens on the system: Replace /is_hacked.txt with /sbin/su or C:\WINDOWS\SYSTEM32\kernel32.dll, and voila! No way to detect that someone messed with them, unless you boot the server from an uninfected source (e.g. a known-good CD). (Of course, such low-level hijinks are hard to pull off, so a badly-written rootkit may be detected by an unusually high number of system crashes; see the infamous Sony DRM for an example)
– Piskvor, Sep 23 '11 at 10:32

3

@dgarcia: Am not ;) All I'm saying is that once your server's been hacked, it is no longer trustworthy; you could scan it all you want, but you can never be sure that it's clean. Nuke from orbit and reinstall from known-good media. It's the only way to be sure. But of course, if you want to run a server that may or may not be fully under your control, that's your privilege. (Btw no, this doesn't happen all the time, I'm not even remotely suggesting that. By comparison - do you use the airbags in your car often? Then why don't you just rip them out?)
– Piskvor, Sep 23 '11 at 10:53